
Re: [Solved]: Re: stopping ssh attacks



I don't bother with that stuff.
One of my usernames has a /home/username/.ssh/authorized_keys which has a
public RSA key in it; then I use the corresponding private key to log in
from another machine (put it in /home/username/.ssh/id_rsa on a Linux box,
or configure a key file in PuTTY for a Windows box). Once you have that
working, open up /etc/ssh/sshd_config and look for "UsePAM yes" and
change it to no; also make sure "PermitRootLogin no", then restart ssh.

no private key, no login

If you need to log in from any machine in the world then put the private
key on a USB stick or a floppy or something.

I also allow login on a COM port just in case I lose the key file (the
machine has no monitor or keyboard).

Regards, Philip


--- "Roberto C. Sanchez" <roberto@familiasanchez.net> wrote:

> On Sat, Jun 18, 2005 at 11:15:25AM +0200, Vincent Lefevre wrote:
> > On 2005-06-16 11:51:01 -0500, Thomas Stivers wrote:
> > > I ended up going with port knocking and just installed knockd. Too
> > > cool, I always thought it was harder to set up than it is. I even
> > > have it playing nice with shorewall. Thanks for the suggestions.
> > 
> > The problem with port knocking is that it doesn't allow connecting
> > from everywhere, since some providers filter some ports. And you also
> > need a client that would know about port knocking, right? Is there
> > some package that would do the following, for instance: leave port 22
> > closed, but after a connection attempt, it is temporarily opened
> > after 5 seconds for this address (with a timeout of 1 minute). After
> > a successful connection, the address is whitelisted.
> > 
> > This would not be difficult to implement, but I haven't had the time
> > yet... So, if there's something that already exists and does exactly
> > what I want, I'd be very interested.
> 
> Successful TCP connection != Successful SSH connection
> 
> This would be quite difficult to implement correctly and would require
> very tight coupling between your firewalling application and the daemons
> that make use of this.
> 
> Iptables works at layer 2/3, SSH is much higher level.  I can make a
> successful TCP connection to any box out there that is listening on a
> TCP port.  That is why I like the doorman approach.  You send a specially
> crafted packet on the port to which you want to connect.  Any other
> packet is ignored until after the special packet is received.  There is
> no need to knock on different ports or to worry about ISP filtering.  It
> also works at the same layer as iptables.
> 
> -Roberto
> -- 
> Roberto C. Sanchez
> http://familiasanchez.net/~sanchezr
> 



	
	
		
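The setup Philip describes (a key in authorized_keys, root login off, and password logins turned off so that a guessed password is worthless) is worth verifying on the actual sshd_config rather than assuming. The POSIX sh audit below is an added example, not code from this thread, from Debian or from OpenSSH. It reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, a leading `#` starts a comment, `keyword value` and `keyword=value` are both accepted, and directives after a `Match` line apply only conditionally, so the scan stops there) and reports the directives that actually decide whether a password can ever be accepted. In OpenSSH those are PasswordAuthentication and ChallengeResponseAuthentication (renamed KbdInteractiveAuthentication in OpenSSH 8.7 and later); UsePAM on its own does not switch password authentication off, since sshd can still verify passwords without PAM. The audit also expects PubkeyAuthentication yes and PermitRootLogin no (or prohibit-password). The two sample configs, the temporary paths and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# directives that decide whether a guessed password can ever log in.

# sshd_effective KEYWORD FILE
# Print the effective (lower-cased) value of KEYWORD in FILE, or nothing if
# it is not set. Mirrors sshd's parsing: keywords are case-insensitive, the
# FIRST occurrence wins, "#" lines are comments, "keyword value" and
# "keyword=value" are both accepted, and anything after a Match line is
# conditional, so the scan stops there.
sshd_effective() {
    awk -v key="$1" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == tolower(key) { if (n >= 2) print tolower(f[2]); exit }
    ' "$2"
}

# sshd_check FILE KEYWORD ACCEPTED
# ACCEPTED is a |-separated list of acceptable values. Prints one finding
# line and returns 0 on a match, 1 otherwise (an unset keyword never matches,
# because sshd's built-in default would then apply).
sshd_check() {
    v=$(sshd_effective "$2" "$1")
    case "|$3|" in
        *"|$v|"*)
            printf 'ok    %-34s %s\n' "$2" "$v"
            return 0 ;;
        *)
            printf 'FAIL  %-34s is "%s", want %s\n' "$2" "${v:-unset, sshd default applies}" "$3"
            return 1 ;;
    esac
}

# audit_sshd_config FILE
# Returns 0 only when every directive is in its hardened state.
audit_sshd_config() {
    rc=0
    sshd_check "$1" PasswordAuthentication no || rc=1
    # KbdInteractiveAuthentication in OpenSSH 8.7 and later
    sshd_check "$1" ChallengeResponseAuthentication no || rc=1
    sshd_check "$1" PubkeyAuthentication yes || rc=1
    sshd_check "$1" PermitRootLogin "no|prohibit-password|without-password" || rc=1
    return $rc
}

# write_samples WEAK_PATH HARDENED_PATH
# Constructed sample configs for the demonstration (not any real host's file).
write_samples() {
    cat > "$1" <<'EOF'
# constructed sample: stock-looking config that still takes passwords
Port 22
PermitRootLogin yes
UsePAM no
PubkeyAuthentication yes
# PasswordAuthentication not set, so sshd's default (yes) applies
EOF
    cat > "$2" <<'EOF'
# constructed sample: same host after hardening
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# a later duplicate is ignored: sshd keeps the first value it saw
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo: audit both samples. Run as: sh sshd_audit.sh
tmp=$(mktemp -d)
write_samples "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"
for cfg in "$tmp/sshd_config.weak" "$tmp/sshd_config.hardened"; do
    echo "== $cfg =="
    if audit_sshd_config "$cfg"; then
        echo "-> password guessing cannot succeed against this config"
    else
        echo "-> passwords are still accepted somewhere; fix before exposing port 22"
    fi
done
rm -rf "$tmp"
```

On a live host the authoritative check is `sshd -T` (OpenSSH's extended test mode), which prints the fully resolved configuration including built-in defaults and can be given `-C` parameters to evaluate Match blocks; the audit above is useful for config files at rest, in a repository or on a box where sshd cannot be run. After changing the file, restart sshd and confirm from a second session that a password-only login is refused before closing the one you are in.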


